[Security] Don't allow empty username or empty password

Bikal Basnet · Bikal Basnet · commit 1a80ed6f7dbf · 2022-04-20T11:21:32.000+07:00
diff --git a/src/Symfony/Component/Security/Http/Authenticator/JsonLoginAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/JsonLoginAuthenticator.php
@@ -147,8 +147,8 @@ private function getCredentials(Request $request)
         try {
             $credentials['username'] = $this->propertyAccessor->getValue($data, $this->options['username_path']);
 
-            if (!\is_string($credentials['username'])) {
-                throw new BadRequestHttpException(sprintf('The key "%s" must be a string.', $this->options['username_path']));
+            if (!\is_string($credentials['username']) || $credentials['username'] === "") {
+                throw new BadRequestHttpException(sprintf('The key "%s" must be a non empty string.', $this->options['username_path']));
             }
 
             if (\strlen($credentials['username']) > Security::MAX_USERNAME_LENGTH) {
@@ -161,8 +161,8 @@ private function getCredentials(Request $request)
         try {
             $credentials['password'] = $this->propertyAccessor->getValue($data, $this->options['password_path']);
 
-            if (!\is_string($credentials['password'])) {
-                throw new BadRequestHttpException(sprintf('The key "%s" must be a string.', $this->options['password_path']));
+            if (!\is_string($credentials['password']) || $credentials['password'] === "") {
+                throw new BadRequestHttpException(sprintf('The key "%s" must be a non empty string.', $this->options['password_path']));
             }
         } catch (AccessException $e) {
             throw new BadRequestHttpException(sprintf('The key "%s" must be provided.', $this->options['password_path']), $e);
diff --git a/src/Symfony/Component/Security/Http/CHANGELOG.md b/src/Symfony/Component/Security/Http/CHANGELOG.md
@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+6.1
+---
+
+* Require non-empty-string username and password when using `JsonLoginAuthenticator`
+
 6.0
 ---
 
diff --git a/src/Symfony/Component/Security/Http/Tests/Authenticator/JsonLoginAuthenticatorTest.php b/src/Symfony/Component/Security/Http/Tests/Authenticator/JsonLoginAuthenticatorTest.php
@@ -116,10 +116,16 @@ public function provideInvalidAuthenticateData()
         yield [$request, 'The key "password" must be provided'];
 
         $request = new Request([], [], [], [], [], ['HTTP_CONTENT_TYPE' => 'application/json'], '{"username": 1, "password": "foo"}');
-        yield [$request, 'The key "username" must be a string.'];
+        yield [$request, 'The key "username" must be a non empty string.'];
 
         $request = new Request([], [], [], [], [], ['HTTP_CONTENT_TYPE' => 'application/json'], '{"username": "dunglas", "password": 1}');
-        yield [$request, 'The key "password" must be a string.'];
+        yield [$request, 'The key "password" must be a non empty string.'];
+
+        $request = new Request([], [], [], [], [], ['HTTP_CONTENT_TYPE' => 'application/json'], '{"username": "", "password": ""}');
+        yield [$request, 'The key "username" must be a non empty string.'];
+
+        $request = new Request([], [], [], [], [], ['HTTP_CONTENT_TYPE' => 'application/json'], '{"username": "rimas", "password": ""}');
+        yield [$request, 'The key "password" must be a non empty string.'];
 
         $username = str_repeat('x', Security::MAX_USERNAME_LENGTH + 1);
         $request = new Request([], [], [], [], [], ['HTTP_CONTENT_TYPE' => 'application/json'], sprintf('{"username": "%s", "password": 1}', $username));
